Debian Bug report logs - #796255
vlc: CVE-2015-5949
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 20 Aug 2015 19:54:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version vlc/2.2.0~rc2-2
Fixed in versions vlc/2.2.0~rc2-2+deb8u1, vlc/2.2.1-3
Done: Sebastian Ramacher <sramacher@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#796255; Package src:vlc. (Thu, 20 Aug 2015 19:54:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 20 Aug 2015 19:54:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: vlc
Version: 2.2.0~rc2-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Control: fixed -1 2.2.0~rc2-2+deb8u1
Hi,
the following vulnerability was published for vlc.
CVE-2015-5949[0]:
No description was found (try on a search engine)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-5949
[1] http://www.ocert.org/advisories/ocert-2015-009.html
[2] https://lists.debian.org/debian-security-announce/2015/msg00241.html
Regards,
Salvatore
Marked as fixed in versions vlc/2.2.0~rc2-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 20 Aug 2015 19:54:06 GMT)
Reply sent to Sebastian Ramacher <sramacher@debian.org>: You have taken responsibility. (Fri, 21 Aug 2015 06:51:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 21 Aug 2015 06:51:12 GMT)
Message #12 received at 796255-close@bugs.debian.org:
Source: vlc
Source-Version: 2.2.1-3
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 796255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Aug 2015 08:22:53 +0200
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore8 vlc vlc-data vlc-dbg vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-sdl vlc-plugin-svg vlc-plugin-zvbi vlc-plugin-samba vlc-plugin-pulse
Architecture: source all
Version: 2.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
libvlc-dev - development files for libvlc
libvlc5 - multimedia player and streamer library
libvlccore-dev - development files for libvlccore
libvlccore8 - base library for VLC and its modules
vlc - multimedia player and streamer
vlc-data - Common data for VLC
vlc-dbg - debugging symbols for vlc
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-fluidsynth - FluidSynth plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-notify - LibNotify plugin for VLC
vlc-plugin-pulse - transitional dummy package for vlc
vlc-plugin-samba - Samba plugin for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svg - SVG plugin for VLC
vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 796255
Changes:
vlc (2.2.1-3) unstable; urgency=high
.
* debian/patches/demux-mp4-correctly-match-release-function.patch: Apply
upstream patch to fix CVE-2015-5949. (Closes: #796255)
Checksums-Sha1:
e42b19ead6572eaaba436948047d9e6e55704028 5383 vlc_2.2.1-3.dsc
98b1ef70f44eb546bc9d86ee5b0b8faba3ef34fb 58968 vlc_2.2.1-3.debian.tar.xz
71c135c13092d7b599d3dadeab7eddc3fa65e40a 5404956 vlc-data_2.2.1-3_all.deb
7311454c43301b348c9aeee496b4dbb1deb0b501 860 vlc-plugin-pulse_2.2.1-3_all.deb
Checksums-Sha256:
8dbd965bc794af5dd49afa41470ea5ead57c863601593f9783828428672d4d67 5383 vlc_2.2.1-3.dsc
c184d9a7cee03b047d235bd388739accea8d77cd85da10252e0caa04b7418f43 58968 vlc_2.2.1-3.debian.tar.xz
b1aac7e84261559c151ccbd632e6ca3ea088d5d9554f49980dc9b5bfb08edad9 5404956 vlc-data_2.2.1-3_all.deb
f52d303256700b65f3510edec8831cdd4028da4caf5991108a808d2cb9bc5321 860 vlc-plugin-pulse_2.2.1-3_all.deb
Files:
5010899a703c06dc124216b8d97f95e4 5383 video optional vlc_2.2.1-3.dsc
d611ae7ac3ba135c847881f025f3866d 58968 video optional vlc_2.2.1-3.debian.tar.xz
500a9289863b889967ec1d8ac8237a53 5404956 video optional vlc-data_2.2.1-3_all.deb
f4e4b593e068fbca1fc6b2fa45c1e512 860 video optional vlc-plugin-pulse_2.2.1-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=gGHS
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#796255; Package src:vlc. (Fri, 21 Aug 2015 07:03:03 GMT)
Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 21 Aug 2015 07:03:03 GMT)
Message #17 received at 796255@bugs.debian.org:
On 2015-08-20 21:51:31, Salvatore Bonaccorso wrote:
> Source: vlc
> Version: 2.2.0~rc2-2
> Severity: grave
> Tags: security upstream patch fixed-upstream
> Justification: user security hole
> Control: fixed -1 2.2.0~rc2-2+deb8u1
Is this the way the Security Team works nowadays? No coordination with the
maintainers at all. We could have at least coordinated the fix for sid.
We were also trying to push 2.2.1 to jessie with other fixes for not CVE-worthy
crashes. Admittedly, the pu request hasn't gotten a reply from the Release Team
in ages, but still …
Thanks for not coordinating with us.
--
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Oct 2015 08:00:59 GMT)
Last modified: Wed Jun 19 15:44:42 2019; Machine Name: buxtehude